Marriott faces a £99 million GDPR fine as the ICO reports public awareness of information rights is soaring

The GDPR fines keep stacking up with hotel chain Marriott now facing a hefty bill.

It’s been a busy week for the UK Information Commissioner’s Office (ICO) which has topped off its record GDPR fine for British Airways (BA) with another hefty swing in the direction of the Marriott hotel chain.

On Monday the ICO announced it plans to impose a £183.39 million fine on BA following its handling of a data breach resulting from a cyber-security attack last summer. That’s the largest penalty proposed under the GDPR [General Data Protection Regulation] regime.

Next in line is Marriott International which is looking down the barrel of a £99.2 million fine. Once against this relates to a cyber-attack which exposed personal data relating top around 30 million related to residents of 31 countries in the European Economic Area (EEA). This was reported to the ICO in November last year when it was discovered, although the breach itself appears to date back to 2014.

Information Commissioner Elizabeth Denham said:

The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.

Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.

In common with BA, Marriott has the right to appeal the ruling.

What’s interesting in this case is that the breach originated in the IT systems of Starwood Hotel Group which was purchased by Marriott in 2016. Marriott faces the fine because it took another two years for it to uncover and disclose the problem. The ICO deems this to represent insufficient due diligence prior to the acquisition and a failure to properly secure the systems against attack.

When Facebook was fined £500,000 in October last year, the point was made that this was because the incidents involved took place prior to GDPR entering into force and as such this was the maximum penalty possible under the previous Data Protection Act.

While the Marriott incident also began before GDPR, it’s facing its penalty due to failure to discover and disclose the breach until after GDPR was adopted. The outcome of any appeal in this case will inevitably set a precedent to which other organisations will be paying close attention.

ICO update

GDPR brings enhanced rights for the public, and the past year has been pivotal in public awareness of data protection rights. The doubling of concerns raised with our office reflects that. The GDPR also brought in a step change in how organisations approach data protection. It increased the onus on organisations to take a proactive approach to data protection, identifying what risks they were creating through their use of data, and working to reduce and mitigate those risks. The greater enforcement powers granted to regulators helped to establish compliance as a board level issue.

It is early stages, but the GDPR has so far demonstrated that it is a law that can work alongside emerging technologies and creative approaches. There’s no dichotomy between digital innovation and data protection. But progress relies on consumers trusting organisations with their data, and organisations stand at the front line on this.

The ICO reports that end users are becoming more aware of their rights in the wake of data privacy scandals such as Facebook and Cambridge Analytica. A survey of Data Protection Officers (DPO) carried out in March this year found that nearly two-thirds (64%) of respondents say they have seen an increase in customers and service users exercising their information rights since 25 May 2018 when GDPR kicked in.

For its part, the ICO has seen an uptick in its own activities. The number of contacts with individuals or businesses climbed 66% year-on-year, from 283,727 during 2017/18 to 471,224 over the past year. Meanwhile complaints from members of the public have soared from 21,019 in 2017/18 to 41, 661 in 2018/19. Denham observes:

So many of our conversations are around the use of personal data in digital services.

Source: ICO Annual Report.

The ICO is pleased with the progress it’s seen among organisations in terms of their readiness to adopt and adapt to GDPR in general and the UK’s own Data Protection Act 2018. The ICO report notes that this is a ‘work in progress’ :

We recognise that GDPR and DPA 2018 have placed a significant responsibility on DPOs, bringing with it the ongoing challenge of normalising the new regulations and embedding them as “business as usual” in their organisations.

It adds:

Maintaining momentum will be key. There is still a long way to go to truly embed GDPR and DPA 2018 and to truly understand the impact of the new legislation – in our survey nearly 50% of respondents reported that they had faced unexpected consequences as a result of GDPR and DPA 2018. In 2019-20 we will continue to work to support organisations in dealing with all aspects of GDPR and DPA 2018.

My take

The ICO annual report is very encouraging, indicating growing awareness of privacy rights among the public at large and of GDPR obligations among businesses. The BA and Marriott fines - still to be finalised, of course - are also welcome indicators that the ICO is ready to wield a big stick where necessary. US organizations will look particularly closely at whatever the outcome of the Marriott fine ends up being. With a year of GDPR now passed, the next 12 months will be very telling in terms of monitoring the number of complaints and the level of fines that result.